Chapter 2. SELinux Policy Overview
policy writers gain flexibility, modularity, shared quality control, and central management for complex
pieces of policy.
Macros do not exist in the policy.conf file, as that file represents the exploded macro policy code. It is possible to work backward in finding where a particular policy.conf entry exists. If a daemon has a rule that you cannot find in the associated TE file at $SELINUX_SRC/domains/program/foo.te, then it is likely to be found in the macros. This section first explains the syntax and usage of a macro, then discusses the analysis method in more detail.
You can find more resources about m4 from the manual page man m4, installed documentation at /usr/share/doc/m4-<version>, and through the resources listed in Chapter 9 References. Some of the specific macros used in the targeted policy are explained in Section 3.4 Common Macros in the Targeted Policy.
This usage example shows the first few lines from the Apache HTTP macro file, $SELINUX_SRC/macros/program/apache_macros.te:
define(`apache_domain', `
#This type is for webpages
#
type httpd_$1_content_t, file_type, homedirfile, httpdcontent, \
sysadmfile;
ifelse($1, sys, `
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
')
# This type is used for .htaccess files
#
type httpd_$1_htaccess_t, file_type, sysadmfile;
...
The define(`apache_domain',` is the beginning of the macro definition. Inside the definition, the $1 represents the parameter passed to the macro. Look in $SELINUX_SRC/domains/program/apache.te, which has the following invocation:
apache_domain(sys)
This single line then generates a large set of types and rules, substituting the passed parameter sys for every $1:
type httpd_$1_htaccess_t, file_type, sysadmfile;  > \
type httpd_sys_htaccess_t, file_type, sysadmfile;
type httpd_$1_script_exec_t, file_type, sysadmfile  > \
type httpd_sys_script_exec_t, file_type, sysadmfile
role system_r types httpd_$1_script_t;  > \
role system_r types httpd_sys_script_t;
...
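The substitution above can also be run in reverse: given an expanded rule from policy.conf, find the macro body line and the $1 value that produce it. The following is an added example, not part of the original guide or the policy sources; the function names template_regex and backtrack are hypothetical, the sample is the excerpt quoted above, and nested macro definitions are not handled.

```python
import re

# Constructed sample: the apache_macros.te excerpt quoted on this page, with the
# wrapped "\" continuation line joined. The real file is longer.
MACRO_SRC = """\
define(`apache_domain', `
#This type is for webpages
#
type httpd_$1_content_t, file_type, homedirfile, httpdcontent, sysadmfile;
ifelse($1, sys, `
typealias httpd_sys_content_t alias httpd_sysadm_content_t;
')
# This type is used for .htaccess files
#
type httpd_$1_htaccess_t, file_type, sysadmfile;
"""

DEFINE_RE = re.compile(r"define\(`(\w+)'")


def template_regex(line):
    """Turn one macro body line into a regex; every $N must match the same text."""
    seen = set()

    def param(m):
        n = m.group(1)
        if n in seen:
            return "(?P=p%s)" % n        # repeated $N: back-reference
        seen.add(n)
        return r"(?P<p%s>\w+)" % n       # first $N: capture the argument

    flat = " ".join(line.split())        # collapse whitespace before escaping
    return re.compile(re.sub(r"\\\$(\d)", param, re.escape(flat)))


def backtrack(rule, macro_src=MACRO_SRC):
    """Return (macro, line number, {param: value}) for each line that yields rule."""
    hits, macro, flat_rule = [], None, " ".join(rule.split())
    for lineno, line in enumerate(macro_src.splitlines(), start=1):
        d = DEFINE_RE.match(line)
        if d:
            macro = d.group(1)           # remember which macro we are inside
        elif macro and line.strip():
            m = template_regex(line).fullmatch(flat_rule)
            if m:
                hits.append((macro, lineno, {"$" + k[1:]: v for k, v in m.groupdict().items()}))
    return hits


print(backtrack("type httpd_sys_htaccess_t, file_type, sysadmfile;"))
```

An empty result means the rule does not come from the macro text searched, so the TE file or another macro file is the next place to look.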
2.9.1. How To Backtrack a Rule
To find how a rule is derived from a macro, follow this approach. Take a rule you are curious about:
allow httpd_t httpd_suexec_t:process transition;
...
type_transition httpd_t httpd_suexec_exec_t:process httpd_suexec_t;





